Sublime | Severity: low | Rule

Service abuse: Adobe Creative Cloud share from an unsolicited sender address

Detects messages from Adobe Creative Cloud in which the document originates from a newly observed email address. The email address is extracted from the HTML body.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
and sender.email.email == "message@adobe.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and any(html.xpath(body.html,
                   "//td[@style[contains(., 'adobe-clean-display')]]/strong/a/text()"
        ).nodes,
        strings.parse_email(.raw).domain.root_domain not in $org_domains
        and strings.parse_email(.raw).email not in $recipient_emails
        and strings.parse_email(.raw).email not in $sender_emails
        and not (
          strings.parse_email(.raw).domain.domain not in $free_email_providers
          and strings.parse_email(.raw).domain.domain in $recipient_domains
          and strings.parse_email(.raw).domain.domain in $sender_domains
        )
)
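
The following Python is an added worked example, not part of the Sublime rule or the Sublime platform: it re-implements the query above (the XPath extraction of the sharer's address, a simplified strings.parse_email, and the $-list checks) over a constructed share notification body so the rule's logic can be exercised offline. The markup, the list contents and the helper names are assumptions; in particular the root_domain derivation here is a two-label approximation without a public-suffix list.

```python
from html.parser import HTMLParser

# Constructed stand-in for a Creative Cloud share notification (not real Adobe markup): the rule's
# XPath targets the <a> inside <strong> inside a <td> whose style mentions 'adobe-clean-display'.
def make_share_body(sharer):
    return (f'<table><tr><td style="font-family: adobe-clean-display, sans-serif;">'
            f'<strong><a href="mailto:{sharer}">{sharer}</a></strong> shared a file with you.'
            f'</td></tr></table>')

class _ShareSenderParser(HTMLParser):
    """Equivalent of "//td[@style[contains(., 'adobe-clean-display')]]/strong/a/text()"."""
    def __init__(self):
        super().__init__()
        self.stack, self.found = [], []   # stack entries: (tag, is_matching_td)
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, tag == "td" and "adobe-clean-display" in style))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
    def handle_data(self, data):
        s = self.stack
        if len(s) >= 3 and s[-1][0] == "a" and s[-2][0] == "strong" and s[-3][1] and data.strip():
            self.found.append(data.strip())

def extract_share_senders(html):
    p = _ShareSenderParser(); p.feed(html); return p.found

def parse_email(raw):
    # Simplified strings.parse_email(): root_domain is the last two labels (assumption, no PSL).
    local, _, domain = raw.strip().lower().rpartition("@")
    labels = domain.split(".")
    return {"email": f"{local}@{domain}", "domain": domain, "root_domain": ".".join(labels[-2:])}

def matches_rule(msg, lists):
    """msg: dict with sender, spf_pass, dmarc_pass, html; lists: the rule's $-lists as sets."""
    if not (msg["sender"] == "message@adobe.com" and msg["spf_pass"] and msg["dmarc_pass"]):
        return False   # only authenticated Adobe notifications reach the body check
    for node in extract_share_senders(msg["html"]):   # mirrors the rule's any(...)
        e = parse_email(node)
        # Exception clause: a non-freemail domain the org already exchanges mail with both ways.
        known_partner = (e["domain"] not in lists["free_email_providers"]
                         and e["domain"] in lists["recipient_domains"]
                         and e["domain"] in lists["sender_domains"])
        if (e["root_domain"] not in lists["org_domains"]
                and e["email"] not in lists["recipient_emails"]
                and e["email"] not in lists["sender_emails"] and not known_partner):
            return True
    return False

LISTS = {"org_domains": {"corp.example"}, "recipient_emails": set(), "sender_emails": set(),
         "free_email_providers": {"gmail.com"}, "recipient_domains": {"partner.example", "gmail.com"},
         "sender_domains": {"partner.example", "gmail.com"}}   # constructed list contents

def adobe_msg(sharer):
    return {"sender": "message@adobe.com", "spf_pass": True, "dmarc_pass": True, "html": make_share_body(sharer)}
```

Note that a freemail sharer is still flagged even when the freemail domain appears in both recipient and sender domain lists, because the exception clause requires the domain not be a free email provider.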

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Service abuse: Adobe Creative Cloud share from an unsolicited sender address"
description: "Detects messages from Adobe Creative Cloud in which the document originates from a newly observed email address. The email address is extracted from the HTML body."
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.email == "message@adobe.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and any(html.xpath(body.html,
                     "//td[@style[contains(., 'adobe-clean-display')]]/strong/a/text()"
          ).nodes,
          strings.parse_email(.raw).domain.root_domain not in $org_domains
          and strings.parse_email(.raw).email not in $recipient_emails
          and strings.parse_email(.raw).email not in $sender_emails
          and not (
            strings.parse_email(.raw).domain.domain not in $free_email_providers
            and strings.parse_email(.raw).domain.domain in $recipient_domains
            and strings.parse_email(.raw).domain.domain in $sender_domains
          )
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
  - "Header analysis"
id: "47e42ca1-aee3-527c-b9cd-a1384efc9334"